
Our Senior Administration has asked why we don't provide "open" wifi access to visitors, people walking through campus, etc. etc.   I've got a host of reasons, but thought I'd inquire as to whether any other schools (especially State/Public schools) provide OPEN WIFI ACCESS.  In short ... I've been asked "Why can't we be like Starbucks?"   :-(
 
I'd really appreciate any feedback.  Does your school provide open wifi for guests?  We have a process for legitimate guests to get guest accounts and wifi very expediently, but apparently that doesn't go far enough.  I'm concerned about implications of CALEA, risks to University reputation if we have individuals sitting in their car or on a park bench on campus accessing our wifi and doing strange/bad things, etc.  

THANKS
 
 
 
Carmen A. Rahm
Asst. VP for Info. Technology
Central Washington University
400 East University Way
Ellensburg, WA  98926
Direct Phone:          (509) 963-2925
Mobile Phone:         (360) 271-2992
ITS Office Phone:   (509) 963-2333
ITS Homepage:       www.cwu.edu/~its
GO GREEN! This email uses 100% recycled electrons.
No electrons were harmed while composing this message.
********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We were open but have moved to authenticated access. We have guest access accounts but people still have to log in. At Starbucks, you are paying for the access as part of the price of the coffee… it is not “free.”

 

Dr. Robert Paterson

Vice President, Information Technology, Planning & Research

Molloy College

Rockville Centre, NY 11571

516-678-5000 ex 6443

 

Carmen,

The exact same conversation has gone on at our campus.  We do not provide an open access wi-fi, and I have resisted requests to do so for precisely the reasons you mentioned.  I recently consulted with our university counsel regarding CALEA. Their advice to me was that we were interpreting CALEA correctly and should not be providing an open wi-fi network.  I have heard of a number of campuses providing open wi-fi only in their library as libraries are apparently exempt from some of the CALEA requirements.  We currently have a process for issuing guest accounts, but it is not at all automated.  We are in the process of implementing an automated, self-service guest access system that we expect will provide greater openness without violating CALEA.

Joe
______________________________________
Joseph Moreau
Chief Technology Officer
State University of New York at Oswego
509 Culkin Hall
7060 State Route 104
Oswego, NY  13126
joseph.moreau@oswego.edu
315-312-5500 office
315-806-2166 mobile
315-312-5799 fax
______________________________________


Carmen,
 
We have open wifi at all of our campuses at the request of senior administration.  We have installed some Cisco gear to become compliant with CALEA as a result.  We have a splash page for the wireless and it asks them to click to agree to the AUP and give us an email address.  We do not verify the email address. 
 
We use Bluesocket devices to separate the traffic.  The open wifi network only has access to the internet and therefore only college resources accessible over the internet.
 
We've seen no real issues with it other than a significant increase in Internet bandwidth usage.
 
Dave

 
David Hoyt
Chief Information Systems Officer
 
Collin College     
Collin Higher Education Center
3452 Spur 399
McKinney, TX  75069
P - 972.599.3133   F - 972.599.3131

We provide access to the Internet - and nothing else - to guests via wireless, no password required, for up to 12 hours.  It's useful for visiting speakers, prospective students, etc. so that they can get to the Web and their Web-based email. 

David
_____________________________________________________________________
David W. Sisk    Associate Director for Administration, Information Technology Services
Macalester College    /    1600 Grand Avenue    /     Saint Paul, Minnesota  55105-1899
http://www.macalester.edu/~sisk/                Voice (651) 696-6745,  FAX (651) 696-6778


So we ARE like Starbucks.  Buy a course, get free wireless …

At Seton Hall University we do the same as Molloy; users have to log in using their network credential to get wireless access, but we provide guest accounts for library patrons, temp SSIDs/passwords for conferences, and the like.

I’d be interested in whether campuses that do provide open wireless still come under the “private network” exception to CALEA compliance.

Cheers,

Steve

Message from luikart.7@osu.edu

OSU recently began offering open wireless access, in addition to "guest" access.  

Open, or public, wireless access is provided under a contract with AT&T and does not use the university's ISP service.  This network does not require authentication and is fairly limited in terms of what you can access.    

OSU "guest" is an unencrypted network for so called sponsored guests of the university.  Access to this network requires authentication.  Guest is not a public network and provides more in terms of what you can access than the open (AT&T) network.

Here is a web site that describes OSU wireless services, but it has not been updated to reflect the new AT&T wireless offering: http://wireless.osu.edu/

Best Regards,
Rob  
  
Robert B. Luikart
Chief Information Officer
OSU College of Food, Agricultural, and Environmental Sciences
216 Kottman Hall
2021 Coffey Road
Columbus, OH  43210-1044
Office: 614.292.4774
http://cfaes.osu.edu/



We have an open wifi / visitor based network. Gets them internet and no more.  Handy for visitors and conferences…parents etc.  Anymore some form of visitor based network is simply expected…

 

Brian

 

Creighton University

 

 


Here at Roane State we have a “guest” access on our wireless network which restricts visitors to the Internet only.  We then provide a less restrictive access to active employees and registered students who use their own devices and finally we have an open access to Roane State owned devices we register on the wireless network that allow users to work as if they were at their desktop. 

Regards,

Tim

Tim Carroll

Assistant Vice President, Information Technology

Roane State Community College

 

We provide 3 (soon to be 2) SSIDs for wireless access. 

We have a “guest” SSID that is restricted to basically only allow HTTP traffic. This is open to anyone.  It’s been available on campus now for over a year and has made our lives much simpler when hosting events, etc.

We also have an unencrypted, NAC controlled (Bradford Campus Manager) SSID and a WPA2 SSID.  We intend to remove the unencrypted SSID sometime next year leaving only encrypted wireless access and guest.  We’ll probably use .1X for authentication on the WPA2 wireless as we’re planning to move away from our NAC system. 

 

We're offering a "Public" service as part of the pilot of a new suite of wireless offerings that also includes:
- Authenticated, encrypted WiFi
- Sponsored Guest for anticipated visitors who require high speed access
- eduroam for access to participating institutions, and

"Public- Public access is unsecured one-hour (renewable) limited bandwidth Web access. It does not require an ePantherID and password or device set-up.  The public access option is not recommended for faculty/staff University business use as the connection is unencrypted and not secure."

More info on all four components of the pilot is at: http://www4.uwm.edu/projects/uwm_wi_fi/

- David

Deputy CIO David Stack, Ph.D.
University of Wisconsin-Milwaukee


We have had open visitor since the iPhone 1 came out. This is on a VLAN that takes you outside the campus firewall and is behind an IPS that will block P2P. While this was for visitors it was heavily used by campus people because our campus wifi uses captive portal that made you log in, a pain on smart phones.

We just rolled out EDUROAM ( http://EDUROAM.org/ ) and that supports 802.1x and we are planning to use that for people on campus so we get auto-login of devices and WPA2 support for security. I use this on my iPhone and iPad and it works great. In addition, this allows colleagues from other institutions on EDUROAM to auto login to the wireless using their own institutional credentials.

Regarding CALEA, in discussing things with our legal counsel, we felt that since wireless does not bleed outside the campus boundaries and the case law on this was not well defined we would err in supporting greater usability and monitor the level of security issues that arose. We have not seen many security issues due to the IPS.

Jack


Jack Suess
UMBC Division of Information Technology (DoIT)

We do not support ad-hoc, walk-on access.  We view it as a regulatory and cost issue. 
Regulatory in that we don't know how we would comply with DMCA violations.
Cost because we can keep adding wireless access points and backplane network capacity to handle the number of people who'd come through the campus.
Note we are in an urban setting.

There are short term and long term visitor provisions.
Short term for conference meetings is coordinated by the event manager in specific locations, like our historic house used for meetings or our campus student union meeting space.
Visitors to the library can present identification and get short term access (something like 24-48 hours).
Longer term visitors, like guest researchers, can get a guest account once identity is proved and the department authorizes the sponsorship.

Theresa

I would normally go off on my standard network security rant using child porn as an example and citing things like the “20 Critical Security Controls” at this point. I would also point out what I think is our obligation to not be gaping security holes used by people as launching points for attacks against others.

Instead, I’ll ask a different question. Wireless networking costs money for hardware, software, support staff, internet bandwidth, etc. Every guest user in your RF space is taking bandwidth away from every other user in the area so they are reducing the potential performance of your wireless network. When their stuff doesn’t work right they take valuable staff time away from “paying customers” when they ask for help. If they do something illegal then I’m stuck with damage to the college’s reputation as well as cleaning up the mess, dealing with law enforcement, etc. Why would we give this away to just anyone who happens to be within range of our access points? I’ve been trying to think of an example of anything else of similar cost that we give away here on our campus. To me it’s like leaving almost all of the doors on campus unlocked 24x7 and not caring who wanders into our buildings or what they do while they are here. We don’t do that with physical security so why do it with network security?

I’m just not seeing the logic of doing open, unauthenticated guest network access of any kind. I know it is easier to just do it that way than deal with people yelling at us because it takes two or five minutes to show some ID and get a guest account. I’ve been yelled at more than once. I would bet that in most, if not all, cases where an open system was put in place it was because of layer 8 and 9 pressure to make things “easy” for users. If that’s not the case, I’d be fascinated to hear the logic used.

The information security triad is Confidentiality, Integrity and Availability. I don’t think availability should trump in this case. The network you save may be your own. Oops, I think I just did a security rant.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu

This e-mail sent from my non-mobile, 64-bit, quad core, Windows 7 workstation.

 

 

Ron,

A couple of comments.

1. Our model makes this no less secure than the public internet.

2. The IPS we have does web content filtering and P2P. If you do set up a guest wireless, make sure you are doing content filtering. We have not gotten any DMCA complaints.

3. Why do this? Convenience. This is not about giving resources to the community, though on visit day parents do appreciate it; however > 98 percent of the usage, is our campus members. They like the convenience of pulling out their iPhone and connecting automatically.  As I said, I hope to move our campus community members to eduroam but that will take time. The reason your administration is asking for this is because they probably hate typing in a password, I know mine did.

3B. Why  the community doesn't squat on free wireless? -- Parking. To drive to campus, pay for parking (free wireless but no free parking :-),  and then walk to an academic building, library, or commons to get "free" wireless is crazy when we have many starbucks and other places offering free wireless AND FREE Parking.

For those where parking isn't a scarce resource this strategy might not work.

Take Care,

Jack

Eric
And the reply.

I will quit spamming you now.

  From: Jack Suess [jack@UMBC.EDU]
  Sent: 11/10/2011 05:21 PM EST
  To: CIO@LISTSERV.EDUCAUSE.EDU
  Subject: Re: [CIO] Open Wireless Access


Ron,

A couple of comments.

1. Our model makes this no less secure than the public internet.

2. The IPS we have does web content filtering and P2P. If you do set up a guest wireless, make sure you are doing content filtering. We have not gotten any DMCA complaints.

3. Why do this? Convenience. This is not about giving resources to the community, though on visit day parents do appreciate it; however > 98 percent of the usage, is our campus members. They like the convenience of pulling out their iPhone and connecting automatically.  As I said, I hope to move our campus community members to eduroam but that will take time. The reason your administration is asking for this is because they probably hate typing in a password, I know mine did.

3B. Why  the community doesn't squat on free wireless? -- Parking. To drive to campus, pay for parking (free wireless but no free parking :-),  and then walk to an academic building, library, or commons to get "free" wireless is crazy when we have many starbucks and other places offering free wireless AND FREE Parking.

For those where parking isn't a scarce resource this strategy might not work.

Take Care,

Jack

Carmen,

Hood College is not a state/publicly funded institution.  We started an open “guest” SSID this semester with limited bandwidth / port 80 only.  Our stats show a high rate of usage (20-25%) despite the availability of higher speed connections.  I suspect that some of our neighbors are joining us, but the expectation of Starbucks-like availability has triggered this experiment.  Unfortunately,  I do not know if we will be able to put Pandora back in her box.

Neil Fay, CTO, Hood College

This isn't exactly analogous, but we don't require that individuals obtain a guest account to utilize the restrooms or drink from the water fountains in our buildings. There is a cost to maintaining these facilities, and some risk of abuse, yet we allow a reasonable level of access by non-campus persons.

As Jack noted, one of the business cases for offering a reasonable (i.e., appropriately limited) level of access to wireless is when parents are visiting. Given the increasingly competitive market for students and (IMO) lack of much competitive differentiation between many college campuses, it might not take much for a parent of a prospective student to decide to take their dollars elsewhere. Perhaps this is just a little thing, but I know that I've decided to take my business elsewhere in other contexts for more trivial irritations.

Whether we like it or not, the consumer market has changed the landscape for us. We can argue that we are not a Starbucks until we are blue in our collective faces, but it doesn't play well in a future of increasing consumerization and democratization of technology. I agree that we do have to weigh security/privacy/resource concerns against customer expectations and do our best to strike a balance, but I think that's part of what we're getting paid for.

My two pence,

Melissa

--
Melissa Woo, Ph.D. (mzwoo@uwm.edu)
Director, Network & Operations Services
University Information Technology Services
University of Wisconsin-Milwaukee

Even the use of the rest rooms is not without risks. Many years ago, my father worked in the Dean of Students office of a nonresidential urban institution. They had several instances of non-university related males entering the women's rest rooms and assaulting female students. Catching and convicting the suspects proved to be extremely difficult.

Anytime that we hold out any of our services for public access, we are going to have to confront both the good and the bad consequences of doing so and weigh the costs against the benefits. We must also understand that some members of the community will always say that the costs can be ignored.

--Randy

Charles R. Williams
Chief Information Officer
Benedictine University
5700 College Road
Lisle, IL  60532
630-829-6025

Jack, I think you at UMBC have a practical and sensible approach to open wireless.  It handles the DMCA complaint and as you point out, is no less secure than the public internet.  There may be problems for some campuses with a specific geographic location that causes issues with "freeloaders" but I think a majority of campuses have some natural physical limitations (parking, etc) that reduce that risk.  Furthermore, the proliferation of general wireless availability continues to decrease campuses as the only location for such access.   There was a time when people liked affiliation with their local college or university for a "free" email account.  That is no longer the case.
Most importantly, as mobility continues its significant growth as the primary way to connect, I think we in the higher ed community have both an opportunity and an obligation to lead the way in finding reasonable ways to serve our internal and external communities by facilitating use of wireless.  Assuming one steadfast core of our collective mission is an open and orderly flow of communication between students, scholars and the public, we need to find options such as UMBC to use wireless to meet that mission.
Sure there are costs involved, but consider the broader returns - the campus that facilitates easier (but controlled as UMBC has) wireless access may attract more conferences and meetings involving the community or other institutions that can lead to more cooperative projects and grants and support for expanding university programs (to be crass about it read that as more revenue).  Can the local campus become a focal point in innovative ways to embrace mobility and wireless access that can engage other sectors of the community, including providers, local government, local business that can expand wireless access across the surrounding community that grows capacity?  
Some of you may be aware of the Gig.U effort underway ( http://www.gig-u.org ) that is a university community next generation innovation project with about 30 some participating universities and communities to find sustainable ways to extend high speed broadband to the doorstep of communities surrounding campuses.  Some of those ways may include wireless.  

Steve Smith
University of Hawaii

I completely agree with the idea that the consumer market has changed the expectations.  Our campus hasn't caught on to the idea that they need to support wireless like they do restrooms.  I tried points like this, emphasizing the need to commit to wireless and the link to mobile services.  We can't move services to mobile platforms if we are not committing to wireless.  But I'm struggling offering this to paying customers; the commitment isn't there.  Sort of like the restaurant with the sign "Restrooms are for paying customers only."

Theresa

We offer authenticated guest wireless, but make it very easy to get guest network accounts without assistance from IT.
  • We have a web page where any student, faculty, or staff can request a guest network login and password for anyone.  
  • Students can request accounts that last up to 7 days. Faculty and staff can request accounts that last up to a year.
  • The requester enters the name and an email address of the guest. They are not responsible for what the guest does, but we ask them to accurately identify the guest.
  • The same mechanism can be used to create a conference/event login for the duration of events of a  few days or less.  Typically, the login and password are projected on-screen.
Because of CALEA, we had minimal push-back for implementing authentication. Most faculty and staff would rather have this than have us enable the monitoring that being a "public" network would require.

Rick

Here is some data from the EDUCAUSE Core Data Service that might help you, Carmen:

* Almost three-quarters of institutions currently require end-user authentication for all institutionally-provided wireless access: 71% of public institutions and 74% of private institutions.
* Most institutions have a separate authentication process for guest wireless access, although it's more common in private (74%) than public (61%) institutions.
* Only 30% of private and 35% of public institutions provide open access to the public Internet.

I've attached a spreadsheet with this data for various institutional types, and with all the other end-user authentication items we measured. I hope you find this useful.

-Susan

Susan Grajek
Vice President for Data, Research & Analytics
EDUCAUSE
Uncommon Thinking for the Common Good
http://educause.edu
4772 Walnut Street, Suite 206, Boulder, CO 80301-2538
202-331-5350 (phone)
sgrajek@educause.edu

Cost is an interesting conversation.  As is the whole consumer device debate.

However, it seems that the whole CALEA law is being ignored by many institutions in this conversation.  Starbucks and hotels are not subject to those same laws, so we are not comparing apple to apple here.  Starbucks or a hotel has an ISP to provide their internet service, however in EDU, we ARE the ISP in most cases.  That is the difference, and where the CALEA laws come into play.

Of those schools who have chosen to allow free and "OPEN" hotspot access, how many of you have consulted your legal team?  Can anyone give me specific examples of legal cases that exempt us from CALEA to allow open network access, hardwired or WiFi?  If so, many other institutions would re-evaluate our setups.  Perhaps some schools simply assume the risk, and are willing to pay the huge expense to modify their networks to allow on the spot, anytime taps of all network and VOIP traffic by the government?  I'd also be interested in hearing of how many schools don't find those taps to be an issue.


On 11/10/2011 6:47 PM, Theresa Rowe wrote:
I completely agree with the idea that the consumer market has changed the expectations.  Our campus hasn't caught on to the idea that they need to support wireless like they do restrooms.  I tried points like this, emphasizing the need to commit to wireless and the link to mobile services.  We can't move services to mobile platforms if we are not committing to wireless.  But I'm struggling offering this to paying customers; the commitment isn't there.  Sort of like the restaurant with the sign "Restrooms are for paying customers only."

Theresa

I think Dave has this exactly right.


Charlie McMahon

Vice President of Information Technology

Chief Technology Officer

Tulane University

504-988-8555 (O)

504-256-6688 (C)


From: Dave Koontz <dkoontz@MBC.EDU>
Reply-To: EDUCAUSE Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Date: Thu, 10 Nov 2011 20:19:07 -0500
To: EDUCAUSE Listserv <CIO@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [CIO] Open Wireless Access

Cost is an interesting conversation.  As is the whole consumer device debate.

However, it seems that the whole CALEA law is being ignored by many institutions in this conversation.  Starbucks and hotels are not subject to those same laws, so we are not comparing apple to apple here.  Starbucks or a hotel has an ISP to provide their internet service, however in EDU, we ARE the ISP in most cases.  That is the difference, and where the CALEA laws come into play.

Of those schools who have chosen to allow free and "OPEN" hotspot access, how many of you have consulted your legal team?  Can anyone give me specific examples of legal cases that exempt us from CALEA to allow open network access, hardwired or WiFi?  If so, many other institutions would re-evaluate our setups.  Perhaps some schools simply assume the risk, and are willing to pay the huge expense to modify their networks to allow on the spot, anytime taps of all network and VOIP traffic by the government?  I'd also be interested in hearing of how many schools don't find those taps to be an issue.



I'm glad I initiated this thread. The number of responses has been overwhelming and extremely beneficial. Keep 'em coming and thanks much. This interaction is what makes this listserv so beneficial.

We follow what appears to be the most typical model where all wireless access requires the users to logon to the network, where all faculty, staff and students already have the appropriate logon credentials, and where there is a mechanism in place to create temporary guest accounts as needed.  And we certainly strive to have 100% coverage of all the public, indoor areas of all our campuses.  I’ve been very happy with this model for all the reasons that have been so eloquently stated by others in this thread.

 

I’m a user, too, and I’ve been perfectly happy for years to logon to the campus network with my laptop, for example if I take it somewhere on campus to give a presentation.  But as a user, I’m finding having to logon to the network every time I want to connect my iPhone to the campus wireless network to be very off-putting.  At home, my wireless network is secure and my iPhone remembers the key to connect to my network.  But at work, when I use my iPhone to connect to the campus wireless network, I have to interact with the security model at a totally different level.  I’m taken to a Web page where I have to enter my username/password every single time I use the iPhone, and it proves much easier just to turn off Wifi on my iPhone at work and use 3G instead.  This is obviously not an optimal solution.

 

So I’m wondering if there might not be a way to enter my username/password into my iPhone a single time and have it logon to the campus network for me automatically the same way the iPhone can remember the encryption key for my home wireless network.  Is there an app for that?  I was thinking that it might be  a little scary for my iPhone to store my username/password, but actually my iPhone already stores my username/password because the iPhone is configured to connect to my campus E-mail.  This mobile stuff is really a game changer.

 

Jerry

 

----------------------------------------------------------------------------------------
Jerry Bryan • Vice President of Information Services • Pellissippi State • 10915 Hardin Valley Road • P.O. Box 22990 • Knoxville, TN 37933-0990

Voice: 865 539-7127 •  Fax: 865 539-7653 •  E-mail: jbryan@pstcc.edu

 


Perhaps I’m missing something but I’m not sure I would agree that open access, even with filtering, is no less secure than the public internet. I understand the idea of trying to reduce DMCA issue risks with filtering and that makes some sense. To me the issue is one of being able to track activity back to an endpoint. At my home my endpoint can be identified by my DSL provider. For a mobile device, the mobile service provider can identify the endpoint. In your model, there is no identification of the endpoint other than the MAC address of the device. I have been involved in enough security investigations, including FBI activities, to know that that would not be sufficient to determine who did what.

 

This link http://www.wired.com/threatlevel/2011/08/hacking-from-mcdonalds describes an incident where someone used the open access wi-fi at a McDonald’s restaurant to crash the network and server infrastructure of a company. They basically deleted all of their virtual servers. This person was caught because they were dumb enough to use a credit card to make a purchase at the same restaurant during the time the illegal activities were taking place. A smarter criminal would have sat in a parking lot a few hundred yards away and used a directional antenna. This person no doubt had access to various secured and non-anonymous networks but where did they choose to go to do their illegal activity? If you offer open, unauthenticated access to your wi-fi, how are you going to prevent someone from doing the same thing? How will you assist law enforcement with tracking down the criminal when they determine that your network was involved?

 

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu

 

This e-mail sent from my non-mobile, 64-bit, quad core, Windows 7 workstation.


I’ve tried a variety of devices (Laptop, ThinkPad Tablet, Atrix, iPad, etc.) on Seton Hall’s network and I typically only have to authenticate once (but I do have to re-enter my credentials every time I change my network password, which at SHU is required every 90 days for employees and every 180 days for students).  We use 802.1x in conjunction with AD, and my iPad, for example, has no problem with this; it remembers my AD credentials and even politely reminds me to re-enter them after I change my network password (some older devices aren’t as polite, but they do all seem to work).

 

In speaking with my network folks yesterday, they reminded me that we do provide an open 802.11g SSID in the residence halls, but they’re careful to contain the open SSID there insofar as possible (they use many AP’s, typically one for each suite, so that the gain and bleed are both fairly low).  The issue that solves is that students bring gaming devices, Tivo’s, and the like that do not “play well” with 802.1x and AD (especially older devices), so this gives them a way to connect their gaming devices.  Networking tells me that most devices in the residence halls are connecting to the 802.11n SSID via 802.1x and AD even though they have an open SSID available there (and that makes sense, because most of the devices are mobile and so are going to have the students’ credentials stored already).  Because the residence halls are closed (students need to swipe in, and their guests need to sign in and show ID), we haven’t had a problem with this - - so far.

 

I, too, am enjoying the discussion.

 

Best regards,

 

Steve

 

Laws and resources aside, I wonder what we believe our obligation is when we provide access to the internet.

 

I realize the natural conflict between the role of our institutions in providing public good vs. security matters, but I think this may be more of a fundamental question about the benefits and perils of having “anonymous” internet users in today’s society and our role in dealing with that.

 

Hossein Shahrokhi

CIO, UH-Downtown

 

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dave Koontz
Sent: Thursday, November 10, 2011 7:19 PM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Open Wireless Access

 

Cost is an interesting conversation.  As is the whole consumer device debate.

However, it seems that the whole CALEA law is being ignored by many institutions in this conversation.  Starbucks and hotels are not subject to those same laws, so we are not comparing apple to apple here,  Starbucks or a hotel has an ISP to provide their internet service, however in EDU, we ARE the ISP in most cases.  That is the difference, and where the CALEA laws come into play.

Of those schools who have chosen to allow free and "OPEN" hotspot access, how many of you have consulted your legal team?  Can anyone give me specific examples of legal cases that exempt us from CALEA to allow open network access, hardwired or WiFi?  If so, many other institutions would re-evaluate our setups.  Perhaps some schools simply assume the risk, and are willing to pay the huge expense to modify their networks to allow on the spot, anytime taps of all network and VOIP traffic by the government?  I'd also be interested in hearing of how many schools don't find those taps to be an issue.


On 11/10/2011 6:47 PM, Theresa Rowe wrote:

I completely agree with the idea that the consumer market has changed the expectations.  Our campus hasn't caught on to the idea that they need to support wireless like they do restrooms.  I tried points like this, emphasizing the need to commit to wireless and the link to mobile services.  We can't move services to mobile platforms if we are not committing to wireless.  But I'm struggling offering this to paying customers; the commitment isn't there.  Sort of like the restaurant with the sign "Restrooms are for paying customers only."

Theresa

I have enjoyed this engaging conversation so far, even though I have not come to the end of the thread. 

One thing I've been struck by is how many of the contributions cite theoretical considerations, rare but egregious events (McDonald's support for virtual machine deletion), or personal experience.  I'm curious whether the adherents of either model (open vs closed) have hard data from their customers about how they value one experience over another.  What do the users say, for example, when asked about their wireless experience?

I don't have this data myself, other than anecdotally.

thanks,
Joseph

Joseph Vaughan
CIO/Vice-President for Computing and Information Services
Harvey Mudd College
vaughan@hmc.edu
909 621 8613
free/busy info at http://tinyurl.com/vaughanfreebusy

On 11/10/2011 01:35 PM, Parker, Ron wrote:

I would normally go off on my standard network security rant using child porn as an example and citing things like the “20 Critical Security Controls” at this point. I would also point out what I think is our obligation to not be gaping security holes used by people as launching points for attacks against others.

Instead, I’ll ask a different question. Wireless networking costs money for hardware, software, support staff, internet bandwidth, etc. Every guest user in your RF space is taking bandwidth away from every other user in the area so they are reducing the potential performance of your wireless network. When their stuff doesn’t work right they take valuable staff time away from “paying customers” when they ask for help. If they do something illegal then I’m stuck with damage to the college’s reputation as well as cleaning up the mess, dealing with law enforcement, etc. Why would we give this away to just anyone who happens to be within range of our access points? I’ve been trying to think of an example of anything else of similar cost that we give away here on our campus. To me it’s like leaving almost all of the doors on campus unlocked 24x7 and not caring who wanders into our buildings or what they do while they are here. We don’t do that with physical security so why do it with network security?

I’m just not seeing the logic of doing open, unauthenticated guest network access of any kind. I know it is easier to just do it that way than deal with people yelling at us because it takes two or five minutes to show some ID and get a guest account. I’ve been yelled at more than once. I would bet that in most, if not all, cases where an open system was put in place it was because of layer 8 and 9 pressure to make things “easy” for users. If that’s not the case, I’d be fascinated to hear the logic used.

The information security triad is Confidentiality, Integrity and Availability. I don’t think availability should trump in this case. The network you save may be your own. Oops, I think I just did a security rant.

--
Ron Parker, Director of Information Technology, Brazosport College
Voice: (979) 230-3480             FAX: (979) 230-3111
http://www.brazosport.edu

This e-mail sent from my non-mobile, 64-bit, quad core, Windows 7 workstation.

 

 

Joseph,

Our community preferred open, unauthenticated wireless. What's not to like?

However, we made guest account creation as easy as possible. Anyone on campus with an account can create an account for his or her guests. We walked department administrative assistants through the process, since they often take care of guest speakers, etc. I spoke at faculty meetings on what was coming and why we were doing it (CALEA). By providing that context, we had almost no resistance.

Rick

On behalf of David Swartz, CIO and Eric Weakland, Director IT Security:

At American University (AU) we have taken what we believe to be a balanced approach to wireless access: Balancing security, technical configuration and usability.  Below are the major use cases we support.  

Technical:  AU uses an Aruba distributed wireless controller/thin AP architecture.  It is integrated with our Impulse SafeConnect NAC.  

General student/staff/faculty/community member access:  Customers connect to a wireless “captive portal” one time for configuration.  This network drives the customer through a workflow, preparing them to authenticate their computer to the University’s 802.1x  WPA2 encrypted wireless network. The captive portal uses the Cloudpath Xpressconnect supplicant on all supported platforms (PC/Mac) and for other platforms provides instructions on how to manually configure their endpoint.  After initial configuration of their 802.1x supplicant, customers don't have to re-authenticate every time they want to use the encrypted network - their supplicant does it for them.  This also makes it possible to identify and contact the owners or at least the sponsor of wireless endpoints which are infected with malware and/or behaving badly.  Non 802.1x mobile endpoints and game consoles may also use the captive portal network to access the internet on a limited basis.  Our Network Access Control  (NAC) solution profiles these sorts of devices and where appropriate, requires authentication.

When a PC/MAC endpoint is configured, the computer authenticates via 802.1x to our secure network at every session.

Guests in general:  Any AU staff or faculty may create, through a simple web application, a visitor account for up to 2 weeks.  The name, duration, and phone number of the guest are required.  The account is active and ready for use 3-5 minutes after creation.  Accounts needed for longer than 2 weeks are provisioned a special “contractor/external” account, with an AU sponsor and an expiration/review date.  Sponsors are queried at the expiration date to see if the account is still needed, and when the account is generated a notice is displayed reminding the sponsor that the visitor's use must be consistent with AU policy. The web application to generate visitor accounts is accessible via the AU Portal or customers may call the HelpDesk for assistance.

Guest for academic programs/functions:  Local support providers around campus may “batch” create accounts for large groups for up to 2 weeks. The name, duration, and phone number of the guest are required.

Guests for Library/specific “public” locations: Bulk guest accounts are created in advance for each day.  Guests may request a “visitor” account by going to the lending/information desk and identifying themselves.  The visitor account comes on a printed slip of paper, reminding the visitor that their use/access must be consistent with AU policy.
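
Ron Parker's question about tracing activity back to an endpoint, and the American University point about identifying the owner or sponsor of a misbehaving endpoint, both come down to mapping an address and a time back to a login. The following Python is an added example, not part of any poster's message or any vendor's product; the record layout (modelled loosely on RADIUS accounting start/stop pairs), the account names and the addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Session:
    """One wireless session; the field layout is an assumption for this example."""
    ip: str
    mac: str
    start: datetime
    stop: Optional[datetime]        # None = session still open
    username: Optional[str]         # None = open SSID, nobody authenticated
    sponsor: Optional[str] = None   # set for sponsored guest accounts

def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

# Constructed sample data: one IP address is leased to three devices in a day.
SESSIONS = [
    Session("10.20.0.57", "aa:bb:cc:00:00:01",
            ts("2011-11-10 09:00"), ts("2011-11-10 10:30"), "jdoe"),
    Session("10.20.0.57", "aa:bb:cc:00:00:02",
            ts("2011-11-10 11:00"), ts("2011-11-10 12:15"),
            "visitor-0412", sponsor="asmith"),
    Session("10.20.0.57", "aa:bb:cc:00:00:03",
            ts("2011-11-10 13:00"), None, None),
]

def attribute(ip: str, when: datetime, sessions=SESSIONS) -> dict:
    """Map the (IP, time) pair from an abuse report to whoever held the address."""
    hits = [s for s in sessions
            if s.ip == ip and s.start <= when
            and (s.stop is None or when <= s.stop)]
    if not hits:
        return {"status": "no-session", "contact": None, "mac": None}
    if len(hits) > 1:
        # Overlapping records for one IP mean the logs disagree; do not guess.
        return {"status": "ambiguous", "contact": None, "mac": None}
    s = hits[0]
    if s.username is None:
        # Open SSID: the MAC identifies a device, not a person.
        return {"status": "mac-only", "contact": None, "mac": s.mac}
    if s.sponsor:
        # Guest account: the sponsor is the person the institution can reach.
        return {"status": "guest", "contact": s.sponsor, "mac": s.mac}
    return {"status": "account", "contact": s.username, "mac": s.mac}

if __name__ == "__main__":
    for t in ("09:30", "10:45", "11:30", "14:00"):
        print(t, attribute("10.20.0.57", ts(f"2011-11-10 {t}")))
```

The same IP address resolves to a different contact depending on the timestamp, which is why the lookup needs accurate, time-synchronised session records rather than an address alone.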


From: "Jack Suess" <jack@UMBC.EDU>
Date: November 10, 2011 3:27:09 PM EST
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Open Wireless Access
Reply-To: "The EDUCAUSE CIO Constituent Group Listserv" <CIO@LISTSERV.EDUCAUSE.EDU>

We have had open visitor since the iphone 1 came out. This is on a VLAN that takes you outside the campus firewall and is behind an IPS that will block P2P. While this was for visitors it was heavily used by campus people because our campus wifi uses captive portal that made you login, a pain on smart phones.

We just rolled out EDUROAM ( http://EDUROAM.org/ ) and that supports 802.1x and we are planning to use that for people on campus so we get auto-login of devices and WPA2 support for security. I use this on my iphone and ipad and it works great. In addition, this allows colleagues from other institutions on EDUROAM to auto login to the wireless using their own institutional credentials.

Regarding CALEA, in discussing things with our legal counsel, we felt that since wireless does not bleed outside the campus boundaries and the case law on this was not well defined we would err in supporting greater usability and monitor the level of security issues that arose. We have not seen many security issues due to the IPS.

Jack


Jack Suess
UMBC Division of Information Technology (DoIT)
